date 2020-06-01

A critical bug was reportedly found in Apple’s ‘Sign in with Apple’ by an Indian developer who was rewarded with $100,000 (roughly Rs 75 lakh). The bug was linked to third-party apps that used Sign in with Apple and did not implement additional security measures.

Researcher Bhavuk Jain found the bug and reported it to Apple through the company’s bounty program. According to The Hacker News, the now-fixed bug potentially allowed attackers to bypass authentication on the client side and take over targeted user accounts on third-party apps that used the ‘Sign in with Apple’ feature.

For the uninitiated, Apple launched ‘Sign in with Apple’ in 2019 as a privacy-focused feature that allowed users to securely log into a supported website or a third-party app without disclosing their email ID and other personal details.

The service’s authentication process consists of Apple's server generating a JSON Web Token (JWT) that contains signed identity information which the third-party application uses to confirm the identity of the user signing in.

Jain stated that although Apple asks users to log in to their Apple account before initiating the request, it was not validating whether the same person was requesting the JSON Web Token (JWT) in the next step from its authentication server. The missing validation could have allowed an attacker to supply a separate Apple ID belonging to a victim, tricking Apple's servers into generating a JWT payload that was valid for signing in to the third-party service with the victim's identity.
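The checks a third-party service performs on the token are worth seeing concretely, because they show both what the relying party can verify and what it cannot. The following is an added example, not Apple's code or Jain's research material: a minimal relying-party validator that checks the signature, issuer, audience, expiry and nonce of an identity token before trusting its `sub` claim. To run offline it signs a constructed token with HMAC (HS256) under a constructed key; real Sign in with Apple tokens are RS256-signed with Apple's published public keys, and the issuer string, client id and user identifier below are assumed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the issuer's signing key (assumption:
# Apple really signs with RS256 and a published public key, not a shared secret).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://appleid.apple.com"  # issuer the relying party expects
EXPECTED_AUDIENCE = "com.example.demo-app"     # hypothetical client id of this app


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce a constructed HS256 JWT so the validator can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the verified claims or raise ValueError. Every check is mandatory:
    a token that fails any one of them must not log anybody in."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier, not the token, decides which algorithm is acceptable.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # A token minted for another app must not be accepted here.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token issued for a different app")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the login attempt this app started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def rejection_reason(token: str, expected_nonce: str, now=None):
    """Convenience wrapper: None when the token is accepted, else the reason."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample claims; "001234.abcdef" is an assumed user identifier.
    tok = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                      "sub": "001234.abcdef", "exp": now + 300, "nonce": "n1"})
    print("accepted:", validate_id_token(tok, "n1", now=now)["sub"])
    other = mint_token({"iss": EXPECTED_ISSUER, "aud": "com.example.other-app",
                        "sub": "001234.abcdef", "exp": now + 300, "nonce": "n1"})
    print("rejected:", rejection_reason(other, "n1", now=now))
```

The point the article makes follows directly from this code: the flaw was on the issuer's side, so a token minted for the victim's Apple ID was correctly signed and carried the right issuer, audience, expiry and nonce. It passes every check a relying party can perform, which is why the only mitigation available to the apps themselves was the second factor of authentication mentioned below.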

He further claimed that the vulnerability worked even if the user chose to hide their email ID from third-party services, and that it could also be exploited to sign up a new account with the victim's Apple ID.

"The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy," Jain added.

Though the vulnerability existed in Apple's side of the code, the researcher said it's possible that some services and apps offering 'Sign in with Apple' to their users might already have been using a second factor of authentication that could mitigate the issue for their users.

Apple acknowledged the bug and is said to have fixed it. The company also investigated and confirmed that the flaw had not been exploited to compromise any account.
